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Abstract. We explore the duality between the simnlation and extrac¬ 
tion of secret correlations in light of a similar well-known operational 
duality between the two notions of common information due to Wyner, 
and Gacs and Korner. For the inverse problem of simulating a tripartite 
noisy correlation from noiseless secret key and unlimited public commu¬ 
nication, we show that Winter’s (2005) result for the key cost in terms 
of a conditional version of Wyner’s common information can be simply 
reexpressed in terms of the existence of a bipartite protocol monotone. 
For the forward problem of key distillation from noisy correlations, we 
construct simple distributions for which the conditional Gacs and Korner 
common information achieves a tight bound on the secret key rate. We 
conjecture that this holds in general for non-communicative key agree¬ 
ment models. We also comment on the interconvertibility of secret cor¬ 
relations under local operations and public communication. 

Keywords: Information-theoretic security, secret key agreement, com¬ 
mon information, monotones 


1 Introduction 

Information-theoretic (IT) or unconditional security—widely acknowledged as 
the strictest notion of security has witnessed a renaissance since the 90’s, ar¬ 
guably followiirg Maurer’s seminal work on secret key (SK) agreement by public 
discussion from correlated source sequences m, m- Compared to computational 
complexity-based approaches, IT-security provides a framework for provable se¬ 
curity by bounding the adversary’s total information. Assumptions are made 
neither on the latter’s computational or memory resources nor on the unproven 
computational hardness of certain problems. By harnessing noise and appro¬ 
priate coding and signaling strategies at the physical layer (the lowest layer 
in the protocol stack), IT-security potentially complements conventional upper 
layer cryptographic protocols (e.g., RSA, DifHe-Hellman key exchange) and is 
an important component of future communication networks |19] . The paradigm 
is especially valuable for improving security in large-scale wireless networks and 
distributed networks with minimal infrastructure (e.g., mobile ad hoc sensor 
networks) where the broadcast nature of the transmission medium makes it par¬ 
ticularly vulnerable to attacks, and key distribution and management is difficult 
and computationally expensive m- 


But for all its advantages, unconditionally secure key distribution is impos¬ 
sible to realize from scratch, for instance, if the legitimate parties are only given 
access to a noiseless public communication channel [TEE]. This pessimism can 
however be relativized if the parties are additionally given access to simple aux¬ 
iliary devices (e.g., noisy correlations or communication channels) that are not 
completely under the control of an adversary mm- Thus, information-theoretic 
reductions between such primitives are of great interest. 

Interconvertibility of noisy tripartite correlations and a uniformly distributed, 
noiseless SK have been studied under the rubric of SK agreement by public 
discussion (called the forward problem [ 112 ] ') and the dual problem of simulating a 
noisy correlation from noiseless SK and public communication (called the inverse 
problem EM). In general, there are irreversible losses in exchanging noisy 
correlations in that, going from one noisy correlation to another and back is not 
lossless (even asymptotically) [3117] . In light of the resource character of noisy 
correlations in enabling SK agreement, and that of SK in simulating a tripartite 
correlation, quantifying such resources are of interest. 

To make things precise, consider three distant parties, honest Alice and 
Bob, and an adversary Eve who observe sequences A" = (Ai,..., A„), A" = 
(Ai,...,A„), and Z" = (Zi,...,Z„) respectively, where the sequence triple 
(A"y”Z") has the generic component variables {XYZ) ~ pxYZ- Starting with 
no initially shared SKs, and using only local operations and unlimited public 
communication (LOPC) over a noiseless, authenticated (but, otherwise insecure) 
channel, what is the maximum rate at which Alice and Bob can distil a SK (i.e., 
the maximum possible SK rate), such that Eve’s information (A" and the en¬ 
tire public discussion) about the generated SK is arbitrarily small? Conversely, 
starting with perfect SKs, what is the SK cost of approximately simulating the 
correlated triple XYZ using only LOPC? 

We explore this duality between the secrecy extractable from pxYZ and that 
required to simulate pxYZ in light of a similar well-known operational duality 
between the two notions of common information (Cl) due to Gacs and Korner |7] 
and Wyner [5] . For the inverse problem of simulating pxYZ from noiseless SK 
and unlimited public communication. Winter |?| gave a single-letter characteri¬ 
zation of the asymptotic minimal SK cost of formation in terms of a conditional 
version of Wyner’s CL We first show that the SK cost of formation can be sim¬ 
ply reexpressed in terms of the existence of a bipartite protocol monotone. For 
the forward problem of key distillation from pxYZ, we construct simple distri¬ 
butions for which the conditional Gacs and Korner GI captures the “explicit” 
secret GI, thus achieving a tight bound on the SK rate. We also comment on the 
interconvertibility of secret correlations under LOPG. 


2 Cl Duality and Secret Cl 

Random variables (RVs) and their finite alphabets are denoted using uppercase 
letters A and script letters X. A” denotes the sequence (Ai,...,A„). px{x) = 
Pr{A = a;} denotes the distribution (pmf) of a discrete RV A. X — Y — Z denotes 









that X,Y,Z form a Markov chain satisfying pxYZ = PxyPz\y- Likewise, X,Y,Z 
is said to form a conditional Markov chain given U ii X — UY — Z. The entropy of 
X is defined as H{X) = —mutual information of 
X and Y is given by I{X;Y) = H{X) — H{X\Y). The total variational distance 
between px and px’ is defined as Y\/{px,Px') = \Y.x(^x\Px{x) -px'{x)\. 

The zero pattern of pxY can be specified by its characteristic bipartite graph 
Bxy with the vertex set X uy and an edge connecting two vertices x and y iff 
PxY{x,y) > 0. If Bxy contains only a single connected component, we say that 
pxY is indecomposable. An ergodic decomposition of pxY{x,y) is defined by a 
unique partition of the space X x y into connected components. The following 
double markovity lemma [H] (also see Problem 16.25, p. 392 in m) is useful. 

Lemma 1. A triple of RVs {X,Y,Q) satisfies the double Markov conditions 

X-Y-Q,Y-X-Q (1) 

iff there exists a pmf pqi^xy such that H{Q'\X) = H{Q'\Y) = 0 and XY — Q' — 
Q. Furthermore, (1) implies I{XY;Q) < H{Q') with equality iff F[{Q'\Q) = 0. 

Proof. Given Pq\xy such that X — Y — Q and Y — X — Q, it follows that 
PxY{x,y) > 0 ^ PQ\XYiq\x,y) = PQ\x{q\x) = PQ\Y{q\y) Vg. Given an ergodic 
decomposition of pxY{x,y) such that X x y = [Jg,Xg^ x 3^,/, where the Xgds 
and yqds having different subscripts are disjoint, define pq'\xy as Q' = q' iff 
X € Xg> <=> y G yq'. Glearly F[{Q'\X) = H{Q'\Y) — 0. Then, for any Q = 
q and for every q', PQ\xYiq\'r) is constant over Xq> x ygi. This implies that 
PQ\XYiq\x,y) = PQiQ'iqW) so that XY — Q' — Q. The converse is obvious. 
Thus, given (1), we get Q' such that I{XY;Q\Q') = 0 so that I{XY]Q) = 
liXYQ’iQ) = liQ'iQ) = H{Q') - H{Q'\Q) < H{Q'). □ 

Gacs and Kdrner (GK) [7] defined Cl as the maximum rate of common ran¬ 
domness (CR) [R) that Alice and Bob, observing A" and F" separately can 
extract without communication {Rq = 0), i.e., Cgk{X;Y) = supiiL(/i(A”)) 
where the sup is taken over all sequences of pairs of deterministic mappings 
such that Pr{/f (A") ^ 0 as n —>■ cx) (see setup in Fig. 

nja)). GK showed that 

Cgk{X-,Y)= max H{Q) = H{Q,) (2) 

Q: H{Q\X)=H{Q\Y)=Q 

where Q* is the maximal common RV of the pair (A,F) induced by the ergodic 
decomposition ofpxY- For all A,F, we have I{X;Y) = i7(Q*)-|-/(A;F|Q*). We 
say that pxY is resolvable, if /(A;F|(5*) = 0. An alternative characterization of 
Cgk{X',Y) follows from Lemma 1 |12) . 

Cgk{X-Y) = max I{XY-Q), |Q| < |A||F| + 2 (3) 

—-A.— Y. — Y — Ji. 

Cgk{X;Y) is identically zero for all indecomposable distributions. For example, 
a binary symmetric channel with non-zero crossover probability is indecompos¬ 
able and hence Cgk{X;Y) = 0. Thus, CR is a far stronger resource than cor¬ 
relation, in that the latter does not result in common random bits, in general. 


Nevertheless, when Alice communicates with Bob {Rq > 0), they can unlock 
hidden layers of potential CR [5]. With a high enough rate of communication 
(that is independent of Bob’s output), the CR rate increases to I{X]Y) [9]. 

A conditional version of GK Cl is defined as follows. 

Cgk{X]Y\Z) = H(Q^\Z)= max H{Q\Z) = max I{XY-,Q\Z) (4) 

Q:H{Q\X Z)=^0 Q—X.Z—Y 

hIq\YZ)={) Q-YZ-X 

Conditioning always reduces GK GI, i.e., Cgk{X;Y\Z) < Cgk{X]Y). We say 
that pxYZ is conditionally resolvable, if I{X;Y\ZQ:f) = 0. 

Wyner [5] defined GI as the minimum rate of CR (R) needed to generate A" 
and K" separately using local operations (independent noisy channels: Q A”, 
Q —>• K") and no communication {Rq = 0) (see setup in Fig. [T](b)). 

Cw{X-Y) = min I{XY-,Q), |Q| < |A||3;| (5) 

A —— Y 

Likewise, a conditional version of Wyner’s Cl is defined as follows. 

Cw{X-,Y\Z) = ^ min I{XY-,Q\Z) (6) 

C^:A —— y 

CwiX;Y) quantifies the resource cost for the distributed approximate simulation 
of pxY- When Alice communicates with Bob {Rq > 0), with a high enough rate 
of communication (independent of Bob’s output), the CR rate reduces to I{X]Y) 
[9]. Reversing the direction of Alice’s operation (A" —)• Q") (see Fig. [T](c)) leads 
to a two-stage simulation of a noisy channel via the Markov chain X — Q — Y . 
Now Alice and Bob can use the reverse Shannon theorem m to simulate a 
first stage, with Alice mapping A" to some intermediate RV Q" which she 
sends noiselessly to Bob. In the second stage, Bob locally maps Q" to get K”. 
This gives a nontrivial tradeoff between the (noiseless) communication rate Rq 
and CR rate R leading to an alternative characterization of Wyner’s Cl as the 
communication cost of distributed channel simulation without any CR (i? = 0). 
With unlimited CR, the cost reduces to I{X-,Y) [9]. Finally, to complete the 
duality, we note the following well-known relation between the different notions 
of Cl [T2]: Cgk{X-Y) < I{X;Y) < Cw{X;Y) with equality holding iff pxY is 
resolvable, whence Cgk{X;Y) = I{X;Y) <^4- I{X;Y) = Cw{X-,Y). 

The setup for the standard SK agreement scenario |ll2l;ill4lldlRi| shown in 
Fig. (Ud) is a generalization of the GK setup (see Fig.[T](a)) that now allows for 
interactive communication. Consider the following distributed communication 
protocol, Uka- Alice (A) and Bob {Y) communicate interactively over an au¬ 
thenticated (noiseless) public discussion channel (transparent to an adversary. 
Eve {Z)). Both have independent access to an infinite stream of private ran¬ 
domness. The protocol proceeds in rounds, where in each round each party flips 
private coins, and based on the messages exchanged so far, publicly sends a mes¬ 
sage to the other party. At the end of the protocol, Alice (Bob) either accepts 
or rejects the protocol execution, and outputs a key Qx (Qy) depending on 
her (his) view of the protocol, which comprises of A" (K"), all local compu¬ 
tations, and the entire public communication (encapsulated in the RV C). The 
asymptotic maximum rate of SK distillation is called the SK rate mM- 







►g bits) 


-(? 



(a) 


(b) 


(c) 



liQ;CZ")<e 


(d) (e) 


Fig. 1. Common information duality (with communication)-, (a) Gacs and Korner’s 
setup (i?o = 0) [7] (b) Wyner’s setup [Rq = 0) [S] (c) Inverting Alice’s channel gives 
an alternative characterization of Wyner’s Cl as the communication cost of channel 
simulation without any CR {R — 0) |9lin| (d) Setup for SK agreement | 1I2I3 | (e) Setup 
for distributed simulation of pxYZ from SK and public communication mm\ 


Definition 1. The SK rate, S{X-,Y\\Z) is defined as the largest real number 
R such that for all e > 0, there exists an integer n and a randomized protocol 
IIka with communication C that with probability 1 — e, allows Alice (knowing 
X'^) and Bob (knowing to compute Qx and Qy, respectively, satisfying 
Pr{Qx = QY = Q}>l-e, H{Q) = log|Q| > n(i? - e), I(Q;CZ^) < e. 

Analogously, there exists an inverse protocol Uform, and a dual measure, 
the asymptotic minimal SK cost of formation of the triple {X,Y,Z) pxYZ 
[311516] . While the distributed channel synthesis problem [9] (setup in Fig.[TKb)) 
explores the role of CR and one-way communication in the formation of bipar¬ 
tite correlations pxY shared between honest Alice and Bob, the setup in Fig. 
flje) explores the role of secret CR (i.e., SK) and public communication in the 
distributed simulation of tripartite correlations pxYZi now additionally shared 
with an adversary Eve [ Me] , To start with, Alice and Bob share a SK in the 
form of R perfectly correlated bits, i.e., Alice has Qx and Bob, Qy such that 
Qx = Qy = Q and H{Q) = R. The goal is to approximately simulate correlated 
sequence triples of the form (A",y”,Z’"), upto a local degrading of Z". Both 
parties have independent access to sources of private randomness. The protocol 
proceeds in rounds and at the end of the communication phase, Alice and Bob 
output A" and K", respectively, as deterministic functions of their views, which 
comprises of the shared SK Q, all the private coins flipped so far, and the entire 
public communication (C). Discounting the private randomness by allowing for 













































stochastic mappings, 11 form can be specified by the joint distribution Px^yncQ 
= Px”-\CQ y^\cqPcq- The resulting simulation is “good” from Alice and Bob’s 
point of view, if they end up correctly generating the marginal However, 

Eve (^") might still have some information about This is formalized by 

requiring that Eve’s optimal channel Pz\z^ is only able to simulate the public 
communication (C) used by Alice and Bob to generate (X",F"). The following 
definition makes this precise [3]. 

Definition 2. The SK cost of formation, SKc{X',Y\Z) is the infimum of all 
numbers R> 0 such that for all e > 0, there exists an integer n and a random¬ 
ized protocol Ilform with communication C that with probability 1 — e, allows 
Alice and Bob, knowing a common random [nR\-bit string Q, to compute X" 
and F", respectively, such that Pr{(X’^,F",C') = (X",F",Z)} > 1 — e holds for 
some correlated sequence triple (X",F",F") that has generic component vari¬ 
ables (X,F,Z) ^pxYZ and some channel pz\z-^ ■ 

PXYZ contains secret correlations iff it cannot be generated by LOPC, i.e., 
SKc{X-,Y\Z) > 0 [18]. Both the SK cost of formation and the SK rate are 
measures of the secrecy content of pxYZ and admit a clear operational inter¬ 
pretation; SKc{X',Y\Z) quantifies the minimum amount of SK bits required to 
(approximately) simulate pxYZ, whereas S{X',Y\\Z) quantifies the maximum 
amount of SK bits that one can extract from pxYZ- 

Winter used resolvability-based arguments |4] to arrive at the full secret cor¬ 
relation vs. public communication trade-off for the inverse problem and defined 
the SK cost of formation with unlimited public communication as 

SKr{X;Y\Z) = min /(XF;Q|Z) (7) 

q-.X-QZ-Y 

Z-.XY-Z-Z 

where the minimum is taken over all RVs Q and Z. Cardinalities of the corre¬ 
sponding alphabets are bounded as |Q| < lAUd^l, and \Z\ < \Z\ respectively. 
SKc{X',Y\Z) is bounded from below by the intrinsic information [5], that in¬ 
tuitively speaking, measures the correlation shared between Alice and Bob that 
Eve cannot access or destroy [2]. 

I{X;YiZ)= min /(X;F|F) (8) 

Z-.XY-Z-Z 

where the cardinality of the alphabet Z of RV Z is bounded as \Z\ < \Z\ [TS] . 
Both I{X-,Y 4 , Z) and SKc{X-,Y\Z) are known to be lockable [314] . i .e., can fall 
sharply by an arbitrary large amount on giving away a single bit to Eve. 

3 Main contributions 

3.1 Wyner’s Conditional Cl and the SK Cost of Formation 

C'w(X;F) can be interpreted as the SK cost of creating a product distribution 
with Eve. Now consider Eve’s optimal channel Pz\z- To create a (public) cor¬ 
relation, Alice randomly samples Z and publicly announces the value of Z over 


a symmetric broadcast channel to Bob and Eve. Then the SK cost of creating 
the product distribution PxY\z is In this section, we introduce 

the concept of protocol monotones 16114115116117] for axiomatizing the general 
properties of upper bounds on the SK rate and show that C'w(^;K|Z) qualifies 
as such an upper bound and is a natural candidate for quantifying the SK cost 
of formation. 

When distant parties wish to establish a SK by manipulating some set of pri¬ 
vate and public resources, it is natural to restrict attention to LOPC operations. 
Since the “resourcefulness” or “secrecy content” of the state is a non-local prop¬ 
erty that cannot increase under LOPC, this set of transformations is deemed 
as a free resource. Mathematically, resources can be quantified by monotones, 
real-valued functions of joint distributions that cannot increase under LOPC. 
LOPC monotones were first introduced in as classical counterparts of en¬ 
tanglement or LOCC (local operations and classical communication) monotones 
to study the rate of resource conversion under LOPC. A resource cannot increase 
under LOPC operations by Alice and Bob. Since Eve, in her role as a malicious 
adversary is always assumed to operate optimally against Alice and Bob, the 
same resource cannot decrease under her LOPC operations mm- We define 
a monotone as follows. 

Definition 3. For all jointly distributed RVs {X,Y,Z), let M{X-,Y\Z) be a real¬ 
valued funetion of pxYZ- Then M is a monotone if the following hold: 

1 ) Monotonicity under local operations (LO) by Alice and Bob: Suppose Alice 
modifies X to X by sending X over a channel, characterized by Px^x- Then 
M. can only decrease, i.e., for all jointly distributed RVs {X,Y,Z,X) with X : 
YZ — X — X, Xi[X-,Y\Z) < M.[X-,Y\Z), and likewise for Bob. 

2) Monotonicity under public communication (PC) by Alice and Bob: Suppose 
Alice publicly announces the value of X. Then A4 can only decrease, i.e., for 
all jointly distributed RVs {X,Y,Z,X) with H{X\X) = 0, A4{X-,YX\ZX) < 
A4(X;YjZ), and likewise for Bob. 

3) Monotonicity under local operations (LO) by Eve: Suppose Eve modifies Z 
to Z by sending Z over a channel, characterized by Pz\z- Then A4 can only 
increase, i.e., for all jointly distributed RVs {X,Y,Z,Z) with Z : XY — Z — Z, 
M{X-,Y\Z) > MiX;Y\Z). 

4) Monotonicity under public communication (PC) by Eve: Suppose Eve pub¬ 
licly announces the value of Z. Then A4 can only increase, i.e., for all jointly 
distributed RVs {X,Y,Z,Z) with h(Z\Z) = 0„ M(ZX-,ZY\Z) > MiX-,Y\Z). 

5) Additivity and Continuity: A4 is additive on tensor products and is a semi¬ 
positive, continuous function ofpxYZ- A stronger notion of asymptotic conti¬ 
nuity requires that for two pmfs pxYZ, qxYZ, if TW{pxYz,qxYz) = C; then 
\A4{pxyz) — ■M.{qxY z)\ < elogd -I- (5(e), where d is some constant that depends 
on \X\, |3^| and \Z\ and (5(e) is any function that depends only on e with 5(0) = 0. 

If M satisfies the conditions in Definition 3, then AA is an upper bound on 
the SK rate mm- Upper bounds on the rate at which instances of a target 








primitive can be realized per invocation of the source primitive can be obtained 
by comparing the value of the monotone on the source and target states. Given 
the class of LOPC operations, suppose that the parties are able to convert n 


copies of pxYZ into some realization of a distribution q'xvz which is close to m 

independent realizations of the target distribution qxYZ, i-e., p®" —)• 9 ' ~ 

Then by virtue of Property (5) in Definition 3, we have, Af (p®") = nAf(p) > 
M{q') ~ mM{q), so that the optimal rate i?(p ^ q) at which transformations 


are possible is upper bounded as f [H]. Thus if p|s^ 

denotes the distribution of a perfect secret bit with p| 5 ^( 0 , 0 ,< 5 ) = p|g^(l,l,i5) = 
i, then for any pmf qxYZ, S{X;Y\\Z) = R{q p^) < = I{X;Y | Z), 


since I{S;S 4- ^) = 1, and I{X\Y 4- is a monotone [3]. Likewise i?(p® q) < 

i{x-,YiZ) ~ i(x-YiZ) ■ Hence SKc{X]Y\Z) = > I{X;Y I Z) [3]. 

Cw{X;Y\Z) violates monotonicity under LO by Ev^il and thus fails to achieve 


an upper bound on the SK rate. To preserve monotonicity under LO by Eve, 


an additional minimization is required over all stochastic maps Pz\z that can be 
chosen by Eve for locally processing her observations. This implies a minimiza¬ 
tion over all Markov chains XY — Z — Z which is tantamount to the simulation 
approximation of upto a local degrading in Z” in Definition 2 of 

the SK cost of formation. This yields a new quantity called Wyner’s intrinsic 
conditional Cl that satisfies monotonicity under Eve’s LOPC operations. 


Cw{X-,YiZ)= min Cw{X-,Y\Z) = min I{XY-,Q\Z) (9) 

Z-.XY-Z-Z Q-.X-QZ-Y 

Z-.XY-Z-Z 


The cardinality of the alphabet .Z of ^ is bounded as \Z,\ < \Z\. This can 
be shown following similar arguments as in |13) using Caratheodory’s theorem. 
Prom (6), we have |Q| < lAH^I. We now show that Cw(X;Y 4- Z) is indeed a 
monotone and hence a valid upper bound on the SK rate. 

Lemma 2. Cw{X]Y I Z) is a monotone. 

Proof. Let P2\z he the minimizer in CwiX;Y f Z). Then it suffices to show that 
CwiX-,Y\Z) satisfies monotonicity under Alice and Bob’s LOPC operations. We 
shall require the following monotonicity inequalities: (a) H{Z\f{Y)) > H{Z\Y), 
(b) I{X-Y\f{X)Z) < I{X;Y\Z). Eor all jointly distributed RVs (XYZQX) such 
that YZ — X — X and X — QZ — Y, monotonicity under LO by Alice holds since, 

I{XY;Q\Z) = H{Q\Z) - iL(Q|AyZ) < 7J(Q|Z) - H{Q\XYZ) = I{XY;Q\Z), 

and likewise for Bob. Similarly, for all jointly distributed RVs (XYZQX) such 
that H(X\X) = 0, monotonicity under PC by Alice holds since, 

~ ~ ~ ~ (b) 

I(XYX;QX\ZX) = I{XY;Q\ZX) < I{XY;Q\Z), 

^ Given jointly distributed RVs (X,Y,Z,Z) with Z : XY — Z — Z, it does not hold in 
general that Cw(X-,Y\Z) > Cw{X-Y\Z). 








and likewise for Bob. 

Additivity and continuity are valuable properties if the monotone is to pro- 
vide information on the rate of transformations p®" —>■ in the asymptotic 

limit n,TO —^ oo. It is easy to show that for independent triples (XiViZi) and 
(X 2 Y 2 Z 2 ), Cw(XiX 2 ;YiY 2 lZiZ 2 ) = Cw(Xi;YilZi) + Cw(X 2 ;Y 2 lZ 2 ). We do not 
target the stronger notion of asymptotic continuity since it is already known that 
the SK cost fails this property and admits locking [4]. □ 

Theorem 3 gives the main result of this section. 

Theorem 3. With unlimited public communication, SKc,{X',Y\Z) = Cw{X;Y 4- 
Z). Furthermore, if Pz\z optimal stochastic map achieving the minimum 

in the characterization of Cw{X\Y 4 , Z), then Cw(X;Y f Z) = I(X;Y 4 , Z) iff 
there exists a pmf pq,^xyzz sT. F[{Q'\XZ) = H{Q'\YZ) = 0 and X — ZQ' — Y. 

Proof. From (7), (9) and Lemma 2, the first equality is obvious. For the second 
equality, the “only if” part is trivial. For the “if” part, first note that 

CwiX;YiZ)= min I{XY;Q\Z) = min {I(Y;Q\XZ) + I{X;Q\Z)) 

Q-.X-QZ-Y Q-.X-QZ-Y 

Z-.XY-Z-Z Z-.XY-Z-Z 

= min {I{X-Y\Z) + I{Y-Q\XZ) + I{X-,Q\YZ)), 

Q-.X-QZ-Y 

Z-.XY-Z-Z 

where (a) follows from writing /(X;(5|.^) as I{X-,Y\Z)+I{X-,Q\YZ)—I{X-,Y\QZ), 
and noting that I{X-,Y\QZ) = 0. Then given jointly distributed RVs (XYZZQ) 
achieving the minimum in (9), if I{Y;Q\XZ) = I{X-,Q\YZ) = 0, then by 
Lemma 1, there exists a pmf Pq'\xyzz such that H{Q'\XZ) = F[{Q'\YZ) = 0, 
XY — Q'Z — Q and I{XY-,Q\Z) < F[{Q'\Z), with equality iff F[{Q'\QZ) = 0. 
Finally note that H{Q'\Z) < I{X-,Y\Z) with equality iff X — ZQ' — Y. □ 

3.2 Gacs and Korner (GK) Conditional Cl and the SK Rate 

For the general source model (with arbitrary public discussion), calculation of 
the exact SK rate remains an open problem |l|2|3|16j. Without any communi¬ 
cation, the problem is still more complicated in that even the determination of 
probability distributions that allow for the distillation of SK remains an unsolved 
problem. GK showed that in a non-communicative model, common codes of a 
pair of discrete, memoryless correlated sources cannot exploit any correlation be¬ 
yond a certain deterministic interdependence of the sources. Remarkably, they 
showed that the asymptotic case is no better than the zero error case and that 
Cck{X]Y) depends only on the zero pattern of the underlying joint distribution 
PXY- Intuitively, Cgk{X-,Y\Z) captures the most “explicit” form of secret Cl, 
i.e., the maximum amount of SK that can be extracted without any communi¬ 
cation. In this section, we construct simple distributions for which Cgk{X-,Y\Z) 
achieves a tight bound on the SK rate. We conjecture that Cgk{X-,Y\Z) quan¬ 
tifies the achievable SK rate for non-communicative key agreement models. We 
also comment on the lossless interconvertibility of secret correlations. 




Example 1. Consider the distribution p^xyz with X = y = Z = {0,1,2,3}. 
We write = (abc). Given (000) = (Oil) = (101) = (110) = 

and (222) = (333) = Graphically, Pxyz is shown in the following table 

/l(0) 1(1) . . \ 


(with Z’s value given in parentheses): Pxyz — 


1 ( 1 ) 1 ( 0 ) 


2 ( 2 ) 


Alice, Bob 


2(3)2 


and Eve each have access to this table and many independent copies of A, 
Y and Z, respectively. For each independent random experiment generating 
{X,Y,Z) ~ PxYZ^ infer Alice and Bob’s values with complete certainty, 

when she receives either 2 or 3. When she receives either 0 or 1, she can only 
infer that Alice’s and Bob’s symbols are restricted to the upper left quadrant 
(i.e., the set {0,1}), but then in this range, X and Y are uniformly distributed. 
Clearly, Alice and Bob can share no secret. Now, consider the distributions 


Pxyz — s 


^l(O) 1(1) 
1 ( 1 ) 1 ( 0 ) 


2 ( 2 ) 


and Pxyz — s 


21 ( 0 ) 1 ( 1 ) 
1 ( 1 ) 1 ( 0 ) 


2(2)2 


2 ( 0 ) 


where Eve’s 


2(1)2 


symbol set is successively depleted to Z = {0,1,2} and Z = {0,1}, respectively. 
In the latter case, Alice and Bob can realize one perfect SK bit, since Eve can 
no longer infer anything about their quadrant information (upper left or lower 
right). This intuition is borne out by C'ga:(A;F|Z), which evaluates to 0, 0.5 
and 1, respectively, for p^, p^ and p^. p^ is resolvable but not conditionally re¬ 
solvable. A distribution p'^ that is conditionally resolvable but not resolvable is 
the following: (000) = (100) = (010) = (110) = (001) = (101) = (011) = 

(111) = i, (032) = (042) = i, (252) = i, (220) = i, (221) = f Finally, 
Cgk{X]Y\Z) = 1 for the following more general distribution p^ that is nei¬ 
ther resolvable nor conditionally resolvable: (000) = (011) = (020) = (101) = 
(110) = (121) = (230) = (331) = j, where using arguments similar to 

the ones for p^, Alice and Bob can be shown to achieve one perfect SK bit. 


Example 2. Consider the following sequence of distributions: 


{pxYz)n{x,y,z) 

iqXYz)n{x,y,z) 


2 ^, if x,y G {0,...,n -1}, z = x + y (modn), 
if x G {n,...,2n — \}, y = x, z = x (modn). 

X^{pxYz)n: X ^ A, y ^ A, z ^ A, 

1 - ink’ ^ = ^ = ^’ 


where (qxYz)n is derived from {pxYz)n by extending the symbol sets {X,y,Z) 
to include an extra symbol A. Renner and Wolf [3] showed that {qxYz)n has 
asymptotic bound information, i.e., {qxYz)n is asymptotically non-distillable 
(S'(A(„);y(„)||Z(„)) = —2 0, as n —>■ oo), andyet cannot be created by LOPC, 

since S'A:c(A(„);Y(„)|Z(„)) > /(A(„);Y(„) | Z(„)) = j^(l -b \\ogn) > ^ [3]. 
Omitting the index n, for a given Z , the maximal common RV of the pair {X,Y) 
has the pmfpQ.(O) = PqA^) = 1 " = 215^’ * = + 

so that CGKiX-,Y\Z) = H{Q^,\Z) = thus achieving the SK rate. 

In both the examples above, no assumptions have been made on the nature of 
the communication protocol (or its lack thereof) between Alice and Bob. For a 




non-communicative SK agreement model, i.e. a restricted key agreement model 
where no communication is allowed between Alice and Bob, let S'o-comm(A|^) 
denote the maximum attainable rate at which a SK can be extracted by Alice 
(knowing X") and Bob (knowing K") about which Eve (knowing Z”) has virtu¬ 
ally no information. As usual, (X",y",Z"’) are independent repeated realizations 
of the random experiment pxYZ- 

Conjecture 4. For non-communicative SK agreement models, SQ-comm.iK;Y\\Z) 
= CaK{X;Y\Z). Furthermore, ifpxYZ is conditionally resolvable, then 

SQ-,omm{X-Y\\Z) = Cgk{X-Y\Z) = I{X-Y\Z). 

4 Concluding Remarks 

In summary, we have presented two results. The first result demonstrates the 
power of the framework of resource monotones for axiomatizing the general prop¬ 
erties of upper bounds on the SK rate. We showed that Cw{X-,Y\Z) violates 
monotonicity under LO by Eve, which can be used to bootstrap the definition of 
the SK cost of simulating the triple (XYZ) up to a local degrading of Z. In the 
past, a similar approach has been put to direct practical use for deriving strong 
bounds on the SK rate m- Given many independent copies of a source distri¬ 
bution [qxYz) and a target distribution of a perfect secret bit (p%sa)^ reversible 
conversion of qxYZ and PggA possible iff R{q — >■ p^)R{p^ — >• g) = I, i.e., iff 
S{X;Y\\Z) = I{X;Y i Z) and I{X-,Y i Z) = SKc{X-,Y\Z). In Theorem 3, we 
have given necessary and sufficient conditions for achieving the second equality. 
More generally, monotones can be used to derive upper bounds on the asymp¬ 
totic rate of conversion of qxYZ to any other distribution qx'Y'Z' (e.g., one 
which is relatively less favorable to Eve). Thus, resource theories hold promise 
in capturing a general calculi of secret correlations. 

In the second part, we constructed simple distributions for which the condi¬ 
tional Gacs and Korner Cl achieves a tight bound on the SK rate. The sequence 
of distributions (qxYz)n in Example 2 was originally constructed by Renner and 
Wolf [3] to show that there exists sequences of distributions with asymptotic 
bound information, i.e., asymptotically non-distillable correlations with positive 
SK cost. This is the best that has been shown so far for the bipartite case. For 
more than two parties, the possibility of creating different bipartitions across 
the honest parties immensely simplifies the problem and, indeed, multipartite 
bound information has been shown to exist |18] . Constructing distributions that 
can show the existence of bipartite bound information remains an open problem 
and a scope for future work. Another problem of independent interest is to con¬ 
sider single shot versions of the SK cost of formation and intrinsic information. 

Acknowledgments 

PKB wishes to thank Amin Gohari for valuable comments and Paul Cuff for 
short useful discussions over email. This work is based in part on PKB’s master’s 
thesis and was supported in part by the AVLSI Consortium, IIT Kharagpur. 


References 


1. Maurer, U. M.: Secret key agreement by public discussion from common informa¬ 
tion. IEEE Transactions on Information Theory, 39(3), 33-742 (1993) 

2. Maurer, U. M., Wolf, S.: Unconditionally secure key agreement and the intrinsic 
conditional information. IEEE Transactions on Information Theory, 45(2), 499-514 
(1999) 

3. Renner, R., Wolf, S.: New bounds in secret-key agreement: The gap between for¬ 
mation and secrecy extraction. In: Advances in Cryptology-EUROCRYPT 2003, 
pp. 562-577, Springer (2003) 

4. Winter, A.: Secret, public and quantum correlation cost of triples of random vari¬ 
ables. in: Proceedings of the IEEE International Symposium on Information Theory 
(ISIT 2005), pp. 2270-2274 (2005) 

5. Chitambar, E., Hsieh, M. H., Winter, A.: The Private and Public Correlation Cost 
of Three Random Variables with Collaboration. arXiv preprint arXiv:1411.0729 
(2014) 

6. Horodecki, K., Horodecki, M., Horodecki, P., Oppenheim, J.: Information theories 
with adversaries, intrinsic information, and entanglement. Foundations of Physics, 
35(12), 2027-2040 (2005) 

7. Gacs, P., Korner, J.: Common information is far less than mutual information. 
Problems of Control and Information Theory, 2(2), 149-162 (1973) 

8. Wyner, A. D.: The common information of two dependent random variables. IEEE 
Transactions on Information Theory, 21(2), 163-179 (1975) 

9. Cuff, P.: Distributed channel synthesis. IEEE Transactions on Information Theory, 
59(11), 7071-7096 (2013) 

10. Bennett, C. H., Devetak, L, Harrow, A. W., Shor, P. W., Winter, A.: The quantum 
reverse Shannon theorem and resource tradeoffs for simulating quantum channels. 
IEEE Transactions on Information Theory, 60(5), 2926-2959 (2014) 

11. Csiszar, I., Korner, J.: Information theory: coding theorems for discrete memoryless 
systems. Cambridge University Press (2011) 

12. Ahlswede, R., Korner, J.: On common information and related characteristics of 
correlated information sources. Preprint. Presented at the 7th Prague Conference 
on Information Theory (1974) 

13. Christandl, M., Renner, R., Wolf, S.: A property of the intrinsic mutual informa¬ 
tion. In: Proceedings of the IEEE International Symposium on Information theory 
(ISIT 2003), pp. 258-258 (2003) 

14. Maurer, U., Renner, R., Wolf, S.: Unbreakable keys from random noise. In: Security 
with Noisy Data, pp. 21-44, Springer (2007) 

15. Christandl, M., Ekert, A., Horodecki, M., Horodecki, P., Oppenheim, J., Renner, 
R.: Unifying classical and quantum key distillation. In: Theory of Cryptography, 
pp. 456-478, Springer (2007) 

16. Gohari, A. A., Anantharam, V.: Information-theoretic key agreement of multi¬ 
ple terminals-Part I. IEEE Transactions on Information Theory, 56(8), 3973-3996 
( 2010 ) 

17. Cerf, N. J., Massar, S., Schneider, S.: Multipartite classical and quantum secrecy 
monotones. Physical Review A, 66(4), 042309 (2002) 

18. Masanes, L., Acin, A.: Multipartite Secret Correlations and Bound Information. 
IEEE Transactions on Information Theory, 52(10), 4686-4694 (2006) 

19. Liu, R., Trappe, W. (eds.): Securing Wireless Communications at the Physical 
Layer. Springer, New York (2010) 


